[ubuntu-hardened] Nautilus 3.24 and Execute-Permission Bit Required

Jeremy Bicha jbicha at ubuntu.com
Sun Apr 30 22:12:02 UTC 2017


In 2010, the Ubuntu Security Team asked for and received Ubuntu Tech
Board approval for a policy [1] that created nautilus'
06_never_exec_nonexec_launchers.patch [2].

To launch a .desktop file in the home folder, Nautilus requires that
it be marked as executable. Nautilus 3.24 strengthened security by
requiring that it be marked as trusted in the user's gvfs database
[3]. Ubuntu 17.10 "Artful" now has Nautilus 3.24.

The problem is that all existing .desktop launchers now in the home
directory no longer work. And there is not an easy way for a user to
bypass this like they could before 17.10. [4]

Without Ubuntu's patch, Nautilus provides a "Trust and Launch" button.
I have a temporary PPA [5] if you want to test how this works. Be sure
to completely kill nautilus after changing your nautilus version since
it continues to run in the background.

Here are some possibilities:
1. Keep things as they are. Existing .desktop launchers will stop working.
We can hope that tools that allow a user to drag-and-drop .desktops to
the home folder will add the metadata themselves. GNOME's Applications
menu extension does this now. [6]
2. Revert the 3.24 change in order to restore 3.22 behavior.
3. Drop Ubuntu's patch. I believe this would need Tech Board approval.

[1] https://wiki.ubuntu.com/SecurityTeam/Policies#Execute-Permission_Bit_Required
[2] https://bazaar.launchpad.net/~ubuntu-desktop/nautilus/ubuntu/view/head:/debian/patches/06_never_exec_nonexec_launchers.patch
[3] https://git.gnome.org/browse/nautilus/commit/?id=1630f5348
[4] https://launchpad.net/bugs/1687179
[5] https://launchpad.net/~jbicha/+archive/ubuntu/temp20170501/+packages
[6] https://launchpad.net/ubuntu/+source/gnome-shell-extensions/3.24.1-0ubuntu1

Thanks,
Jeremy Bicha
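
The two launch checks described in this message (execute bit, trust mark in the gvfs metadata) can be audited per launcher. The script below is an added example, not part of the original post or of Nautilus; it assumes the trust mark is stored as the gvfs attribute `metadata::trusted` and read with `gio info`, and its function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: report which .desktop launchers under a directory fail the
# two checks described above (execute bit, trust mark in gvfs metadata).

# Print the stored trust mark for a file, or nothing if it is not set.
# Assumption: the mark is the gvfs attribute "metadata::trusted".
trusted_value() {
    gio info -a metadata::trusted "$1" 2>/dev/null |
        sed -n 's/^[[:space:]]*metadata::trusted:[[:space:]]*//p'
}

# Classify one launcher. The optional second argument supplies the trust
# value directly, so the logic can be exercised without a gvfs session.
launcher_status() {
    local file="$1"
    local value="${2-$(trusted_value "$1")}"
    if [ ! -x "$file" ]; then
        echo "not-executable"
    elif [ -z "$value" ]; then
        echo "no-trust-metadata"
    else
        echo "trust-metadata=$value"
    fi
}

# Check the directory itself and one level below it (e.g. Desktop/) and
# print one tab-separated line per launcher: status, then path.
audit_launchers() {
    local dir="$1" file
    for file in "$dir"/*.desktop "$dir"/*/*.desktop; do
        [ -f "$file" ] || continue   # skip unmatched globs and non-files
        printf '%s\t%s\n' "$(launcher_status "$file")" "$file"
    done
}

# Run only when a directory is given, e.g.: ./audit.sh "$HOME"
if [ "$#" -gt 0 ]; then
    audit_launchers "$1"
fi
```

Launchers reported as `not-executable` or `no-trust-metadata` are the ones that would need user action after the upgrade.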
